Adaptable, All-in-One Android Trojan Exhibits the Way forward for Malware

GPlayed may be the new face of malware — flexible and adaptable, with a Swiss Army knife-like toolbox that can be used to target pretty much anyone.

A new Android trojan, dubbed “GPlayed”, has been identified by researchers who said the malware is both extremely dangerous and could herald a new and very dangerous age for malicious code, according to Cisco Talos researchers.

The trojan has all of the capabilities of a banking trojan as well as harboring deep cyber-espionage tools, researchers said. But it really stands out because it has been engineered to adapt after it’s deployed. According to Cisco Talos, cyberattackers can remotely load plugins, inject scripts and even compile new .NET code that can be executed.

“This trojan is highly evolved in its design,” wrote Vitor Ventura, senior security researcher a Talos Security at Cisco, in a posting Thursday on the trojan. “It has modular architecture implemented in the form of plugins, or it can receive new .NET source code, which will be compiled on the device in runtime. The plugins can be added in runtime, or they can be added as a package resource at packaging time. This means that the authors or the operators can add capabilities without the need to recompile and upgrade the trojan package on the device.”

It also contains a second malicious library (eCommon.DLL ) that’s platform-independent, the analysts found – so it may move beyond its exclusive focus on Android in the future.

Taken together, Ventura said that this may be the new face of malware — flexible and adaptable, with a Swiss Army knife-like toolbox that can be used to target pretty much anyone.

GPlayed – An All-in-One Threat

GPlayed’s existing capabilities are manifold: they include the ability to exfiltrate the user’s banking credentials as well as act as a full-fledged piece of spyware.

Upon boot, the trojan wastes no time getting down to business. It first establishes contact with the command and control (C2) server and enables the WiFi if it’s disabled. During the trojan registration stage, the trojan exfiltrates private information such as the phone’s model, IMEI, phone number and country. It will also report the version of Android that the phone is running and any additional capabilities.

Then, it registers the SMS handler, which will forward the contents and the sender of all of the SMS messages on the phone to the C2. And, in the final step of the trojan’s initialization, it requests admin privileges on the device and asks the user to allow the application to access the device’s settings.

The screens asking for the user’s approval won’t close unless the user approves the privilege escalation. If the user closes the windows, they will appear again at timed intervals.

After this initial installation phase, the malware will wait randomly between three and five minutes to activate one of its other native capabilities — payment card harvesting.

GPlayed will “open a WebView with a Google-themed page asking for payment in order to use the Google services,” explained Ventura. “This will take the user through several steps until it collects all the necessary credit-card information, which will be checked online and exfiltrated to the C2. During this process, an amount of money, configured by the malicious operator, is requested to the user.”

The request cannot be canceled or removed from the screen — it behaves “just like a screen lock that won’t be disabled without providing credit-card information,” Ventura added.

The trojan also has ability to register JavaScript snippets of code known as injects, which are executed in a WebView object created by the trojan.

“This gives the operators the capability to trick the user into accessing any site while stealing the user’s cookies or forging form fields, like account numbers or phone numbers,” Ventura explained.

In addition to this already-prodigious raft of built-in capabilities, GPlayed is also extremely flexible, and can be molded by its operators, post-installation, to do additional things.

“Given the way the trojan is built, it is highly customizable,” Ventura said. He added, “The wide range of capabilities doesn’t limit this trojan to a specific malicious activity like a banking trojan or a ransomware…This trojan shows a new path for threats to evolve.”

It also, thanks to the platform-independent eCommon.DLL module mentioned earlier, has the ability to move code from mobile platforms to desktops with no effort. “This demonstrates that malicious actors can create hybrid threats faster and with fewer resources involved than ever before,” the researcher noted.

Coming to an App Store Near You

The sample that Cisco Talos analyzed masquerades as a legitimate Google application, destined to trick users into downloading it from a fake software vendor site. It uses an icon very similar to Google Apps, with the label “Google Play Marketplace” to disguise itself.

“Mobile developers have recently begun eschewing traditional app stores and instead want to deliver their software directly through their own means,” Ventura said. “But GPlayed is an example of where this can go wrong, especially if a mobile user is not aware of how to distinguish a fake app versus a real one.”

The sample analyzed was targeted at Russian-speaking users, as most of the user interaction pages are written in Russian. However, due to its flexible nature, Cisco Talos found that changing the language would be simple and easy.

The good news is that GPlayed appears to be in the testing stage, for now. All of the URLs found on the sample were inactive, and it generates a large amount of debugging information, which would be unusual for a production-level trojan that wants to keep its logging to a minimum.

“There are some indicators that this sample is just a test sample on its final stages of development. There are several strings and labels still mentioning ‘test’ or ‘testcc’ — even the URL used for the credit card data exfiltration is named ‘testcc.php,'” said Ventura. “The only sample was found on public repositories and almost seemed to indicate a test run to determine the detection ratio of the sample. We have observed this trojan being submitted to public antivirus testing platforms, once as a package and once for each DLL to determine the detection ratio.”

Even though it seems to only be gearing up for primetime, with the continued trend towards companies choosing to release their software directly to consumers, users should be aware of threats like this coming onto the scene.

“Our analysis indicates that this trojan is in its testing stage but given its potential, every mobile user should be aware of GPlayed,” Ventura said. “These kinds of threats will become more common, as more and more companies decide to publish their software directly to consumers.”